Security Basics mailing list archives

RE: Patching


From: "Raoul Armfield" <armfield () amnh org>
Date: Tue, 21 Oct 2003 09:19:37 -0400

:
:OK, so the main idea I get from the list is: a known hole is fixed and the
:others are (for the moment) unknown. Therefore, patching is a good idea.
:

Correct

:Hmmmm. I am not convinced yet that all this makes sense from a "wider"
:security perspective. Must a vulnerability / hole be known to be a risk?
:Security risks do not all come from "out there" and "bad guys" trying to
:exploit a vulnerability. System errors, data loss may very well occur from
:holes that are very unknown (or very honest operators that make mistakes).
:
:Once I get a very well oiled and stable infrastructure, I personally suffer
:every time I have to disturb that balance. There's a lot of interdependence
:among the various elements of the whole system. Application X at release n.m
:needs Middleware Y at release j.k that in turn requires OS Z at release l.m
:that in turn.... every time I touch something I feel that I have no control
:(but that could be just me) of where the ripples are going to end up.
:
:In such an interdependent environment, even if I assume that I have increased
:the level of security of one element by patching, I am not convinced that I
:can say I have increased the security level of the whole.
:
:Sorry if I cannot at the moment phrase it correctly, but there is a loophole
:in the "patching is necessarily good" axiom that I cannot grasp entirely.
:

I was referring to the idea of patching a known exploit which MAY create
one or more UNKNOWN exploits.  That is a worthwhile patch.  Like I said
before, an unknown exploit is not an exploit until it becomes known.

However, you make a good argument when you say that a patch may disturb
the delicate balance you have in your environment.  That is why no one
should surreptitiously patch software just for the sake of patching.
You should patch in a test environment and determine that it will not
upset the balance, and determine if the benefits of closing that hole are
worth the risks of upsetting that balance.  It could be that you have
other things in place that will cause that hole to be a non-issue.

Raoul
